Added OIDC scope management (#1049)

* added OIDC scope management

* Remove errant code comment

bitwarden_license/src/Sso/Utilities/DynamicAuthenticationSchemeProvider.cs

@@ -318,6 +318,18 @@ namespace Bit.Core.Business.Sso
                 AuthenticationMethod = config.RedirectBehavior,
                 GetClaimsFromUserInfoEndpoint = config.GetClaimsFromUserInfoEndpoint,
             };
+            if (!oidcOptions.Scope.Contains(OpenIdConnectScopes.OpenId))
+            {
+                oidcOptions.Scope.Add(OpenIdConnectScopes.OpenId);
+            }
+            if (!oidcOptions.Scope.Contains(OpenIdConnectScopes.Email))
+            {
+                oidcOptions.Scope.Add(OpenIdConnectScopes.Email);
+            }
+            if (!oidcOptions.Scope.Contains(OpenIdConnectScopes.Profile))
+            {
+                oidcOptions.Scope.Add(OpenIdConnectScopes.Profile);
+            }
 
             return new DynamicAuthenticationScheme(name, name, typeof(OpenIdConnectHandler),
                 oidcOptions, SsoType.OpenIdConnect);

bitwarden_license/src/Sso/Utilities/OpenIdConnectScopes.cs

@@ -0,0 +1,53 @@
+namespace Bit.Sso.Utilities
+{
+    /// <summary>
+    /// OpenID Connect Clients use scope values as defined in 3.3 of OAuth 2.0
+    /// [RFC6749]. These values represent the standard scope values supported
+    /// by OAuth 2.0 and therefore OIDC.
+    /// </summary>
+    /// <remarks>
+    /// See: https://openid.net/specs/openid-connect-basic-1_0.html#Scopes
+    /// </remarks>
+    public static class OpenIdConnectScopes
+    {
+        /// <summary>
+        /// REQUIRED. Informs the Authorization Server that the Client is making
+        /// an OpenID Connect request. If the openid scope value is not present,
+        /// the behavior is entirely unspecified.
+        /// </summary>
+        public const string OpenId = "openid";
+
+        /// <summary>
+        /// OPTIONAL. This scope value requests access to the End-User's default
+        /// profile Claims, which are: name, family_name, given_name,
+        /// middle_name, nickname, preferred_username, profile, picture,
+        /// website, gender, birthdate, zoneinfo, locale, and updated_at.
+        /// </summary>
+        public const string Profile = "profile";
+
+        /// <summary>
+        /// OPTIONAL. This scope value requests access to the email and
+        /// email_verified Claims.
+        /// </summary>
+        public const string Email = "email";
+
+        /// <summary>
+        /// OPTIONAL. This scope value requests access to the address Claim.
+        /// </summary>
+        public const string Address = "address";
+
+        /// <summary>
+        /// OPTIONAL. This scope value requests access to the phone_number and
+        /// phone_number_verified Claims.
+        /// </summary>
+        public const string Phone = "phone";
+
+        /// <summary>
+        /// OPTIONAL. This scope value requests that an OAuth 2.0 Refresh Token
+        /// be issued that can be used to obtain an Access Token that grants
+        /// access to the End-User's UserInfo Endpoint even when the End-User is
+        /// not present (not logged in).
+        /// </summary>
+        public const string OfflineAccess = "offline_access";
+    }
+}